
Adventures in Cybersecurity: How to Respond When Workers Are Duped by Cyberattackers

One of the most exciting aspects of employment law is the inexhaustible list of ways that employees find to get themselves—and their employers—into trouble. Recently, we’ve observed an uptick in electronic security breaches, which makes the close of 2018 a perfect time to refresh ourselves on the “do’s” and “don’ts” of cybersecurity.


Why Do They Do That?!

Some of the cybersecurity problems employees get themselves into can leave their bosses scratching their heads and wondering, “Why did they do that?!” A great example: spoofing attacks. In the context of information security, spoofing occurs when an individual (or a group) disguises himself as someone else to gain access to information. One scenario that occurs with shocking frequency is when a cyberattacker sends an e-mail purporting to be someone important within the organization.

For example, an employee (especially a new or a low-level employee) receives an e-mail from an address that shows up as Bob Smith, CEO of XYZ Corporation. The employee, eager to please, takes one look at the “From” line and immediately jumps to complete the action requested in the e-mail. Often, the request involves using company resources to send money or gift cards to the recipient. The sums at issue are generally small enough that they don’t trigger fraud alerts, and no one realizes that the request is fraudulent until days or weeks later when the employee follows up with the manager who requested the money or someone in accounting sees a questionable charge.

Look for Real Solutions, Not Easy Ones

When you’re investigating a cyberattack, it’s easy to blame the subject of the attack. Frequently, with a small bit of due diligence, the employee could have avoided the problem. In a spoofing attack, the actual e-mail address is often undisguised. So, while the e-mail says it’s from Bob Smith, CEO of XYZ Corporation, the e-mail account is actually randomassortmentofletters@shadydomain.com. When confronted with this scenario, rather than blaming the victim, a good first step is to analyze the company’s own practices.

Cybersecurity problems don’t arise in a vacuum. Does your company have a cybersecurity program? Have you trained your employees to check the e-mail address before responding to internal inquiries or opening document attachments? Do you have a defined protocol for what to do with suspicious e-mails so they can be investigated? The easy solution is to blame the victim; it’s much harder to conduct an internal inventory and find out that your company bears some of the blame.
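As an added illustration of the check the paragraph above asks employees to make (this is example code, not part of the original post), here is a small Python filter that parses the From header, compares the display name against a constructed executive directory, and flags the scenario described earlier: a “Bob Smith, CEO” display name in front of a mailbox at an unrelated domain. It goes one step beyond the text by also flagging an internal-looking From paired with an external Reply-To; the directory, domain names and sample messages are assumptions.

```python
import email.utils
from email.parser import HeaderParser

# Constructed executive directory and internal domains (assumption: in practice
# these come from the company's identity system, not a hard-coded dict).
EXECUTIVE_DIRECTORY = {"bob smith": "bob.smith@xyzcorp.example"}
INTERNAL_DOMAINS = {"xyzcorp.example"}


def normalize_name(display: str) -> str:
    """Lower-case and strip punctuation so 'Bob Smith, CEO' matches 'bob smith'."""
    cleaned = "".join(c if c.isalnum() or c.isspace() else " " for c in display)
    return " ".join(cleaned.lower().split())


def classify_sender(from_header: str, reply_to: str = "") -> str:
    """Return 'ok', or a short reason the message should be held for review."""
    display, addr = email.utils.parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    name = normalize_name(display)
    # The article's scenario: the display name says "Bob Smith, CEO" but the
    # mailbox behind it is not the one the directory has for Bob Smith.
    for exec_name, exec_addr in EXECUTIVE_DIRECTORY.items():
        if exec_name in name and addr != exec_addr:
            return "display-name-impersonation"
    # Extension: an internal-looking From with an external Reply-To means the
    # employee's answer (and any follow-up) is routed somewhere else.
    _, reply_addr = email.utils.parseaddr(reply_to)
    if reply_addr and domain in INTERNAL_DOMAINS:
        reply_domain = reply_addr.lower().rsplit("@", 1)[-1]
        if reply_domain not in INTERNAL_DOMAINS:
            return "reply-to-redirect"
    return "ok"


def classify_message(raw: str) -> str:
    """Classify a raw RFC 5322 message by its From and Reply-To headers."""
    msg = HeaderParser().parsestr(raw)
    return classify_sender(msg.get("From", ""), msg.get("Reply-To", ""))


# Constructed sample messages (not real mail).
SPOOFED = ('From: "Bob Smith, CEO of XYZ Corporation" '
           "<randomassortmentofletters@shadydomain.com>\n"
           "Subject: Quick favor\n\nPlease pick up some gift cards for me.\n")
LEGIT = ('From: "Bob Smith" <bob.smith@xyzcorp.example>\n'
         "Subject: Board deck\n\nDraft attached.\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, "->", classify_message(raw))
```

A filter like this is a triage aid for the “defined protocol for suspicious e-mails” the article recommends, not a replacement for training: it only catches the undisguised-address case the text describes.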

Be Careful What You Say

Another common reaction to cybersecurity problems is to make generalizations—frequently involving age—about the types of people who are susceptible to cyberattacks. The refrain “His generation just doesn’t understand the risk associated with [fill in the blank]” is unfortunately common. While HR professionals are often attentive to these issues, front-line managers are not.

If you hear that type of stereotyping while investigating security breaches, be sure to nip it in the bud. Statements about a person’s age, generation, or inability to learn and adapt to new technology—especially when coupled with disciplinary action—are a recipe for discrimination claims. Don’t compound your problem by creating grounds for a lawsuit when you attempt to fix a cybersecurity breach.

Be Kind, Even if Kindness Isn’t Required

When cyberattacks result in employees losing their own money, one of the first questions from management is, “Do we have to reimburse her?” That can be a complex question, but in most cases, the answer is no. An employee who falls for a cyberscam, such as the spoofing attack described above, is a victim of fraud. Your company didn’t perpetrate the fraud or benefit from it, so you aren’t on the hook for the loss.

The first thing you should advise your employee to do is stop payment and report the fraud if a credit card was involved. Often, the credit card company has resources at its disposal that can limit or reverse the damage that’s been done. But any loss that remains should be the subject of careful consideration. It’s often new, low-earning, and low-level employees who are targeted by sophisticated attackers. The sums at issue sound small, maybe a few hundred dollars all the way up to a couple thousand. But for an employee earning $40,000 per year, that type of loss can be enough to cause serious financial issues.

While employees need to understand the significance of falling prey to a cyberattack and feel the sting of their careless behavior, that goal may be better achieved through progressive discipline.

Remember Your Duties to Report

Finally, if a cyberattack results in a data breach, be aware of your state’s requirements to disclose the breach to customers and clients. Delaware law imposes some requirements for what employers must do when they discover that employees’ personal information may have been compromised. The law defines “personal information” as a Delaware resident’s first name or initial and last name, in combination with his:

Social Security number;

Driver’s license number; or

Bank account, credit, or debit card number.

To qualify as personal information under the third option, the account or card number must be combined with a security code or password that permits access to the individual’s financial account. An employer that learns the security of its employees’ personal information has been breached must conduct a prompt, reasonable investigation to determine the likelihood that the personal information has been or will be misused. If the employer determines that the misuse of information has occurred or is likely to occur, it must notify the affected employees.

Bottom Line

The best plan is one that you make in advance. There’s no better time than now to review your internal response procedures to ensure you’re prepared to respond to a cyberattack and address data breaches. Delaware law doesn’t impose significant compliance obligations, but it does require employers to investigate any potential security breach and notify all affected employees immediately if their personal information might have been compromised. So be ready, and make sure your employees are well trained on basic safety measures for operating in today’s online world.
